
Add additional serialize tests for fixed bugs

These have been fixed as a side-effect of the delayed __wakeup
patch.
nikic committed Jan 16, 2017
1 parent 50b3832 commit 6477bb724e0c4e95dfc8f315cac4b7e7a692b0f8
@@ -0,0 +1,63 @@
--TEST--
Bug #69425: Use After Free in unserialize()
--FILE--
<?php
// POC 1
class test
{
var $ryat;
function __wakeup()
{
$this->ryat = 1;
}
}
$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
var_dump($data);
// POC 2
$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
var_dump($data);
?>
--EXPECT--
int(1)
array(2) {
[0]=>
object(DateInterval)#1 (15) {
["y"]=>
int(-1)
["m"]=>
int(-1)
["d"]=>
int(-1)
["h"]=>
int(-1)
["i"]=>
int(-1)
["s"]=>
int(-1)
["weekday"]=>
int(-1)
["weekday_behavior"]=>
int(-1)
["first_last_day_of"]=>
int(-1)
["invert"]=>
int(0)
["days"]=>
int(-1)
["special_type"]=>
int(0)
["special_amount"]=>
int(-1)
["have_weekday_relative"]=>
int(0)
["have_special_relative"]=>
int(0)
}
[1]=>
int(2)
}
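Review bot: The POC 2 expectation pins DateInterval's complete internal dump (`object(DateInterval)#1 (15)` plus every field down to `have_special_relative`), so this regression test will break whenever the object handle or DateInterval's var_dump layout changes, for reasons unrelated to bug #69425. Since the bug is a use-after-free, the meaningful check is that `unserialize()` returns and `$data` keeps its shape; consider replacing the second `var_dump($data);` with `var_dump(is_array($data), get_class($data[0]), $data[1]);`, or switch the section to `--EXPECTF--`. POC 1's expected `int(1)` is also surprising without a comment; something like `// R:1 points at the outer array, so the (now delayed) __wakeup() replaces the whole result with int(1)` above the first `unserialize()` would help, assuming that is indeed why a scalar is expected.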
@@ -0,0 +1,39 @@
--TEST--
Bug #70513: GMP Deserialization Type Confusion Vulnerability
--SKIPIF--
<?php if (!extension_loaded('gmp')) die('skip requires gmp');
--FILE--
<?php
class obj
{
var $ryat;
function __wakeup()
{
$this->ryat = 1;
}
}
$obj = new stdClass;
$obj->aa = 1;
$obj->bb = 2;
$inner = 's:1:"1";a:3:{s:2:"aa";s:2:"hi";s:2:"bb";s:2:"hi";i:0;O:3:"obj":1:{s:4:"ryat";R:2;}}';
$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
$x = unserialize($exploit);
var_dump($x);
var_dump($obj);
?>
--EXPECT--
array(1) {
[0]=>
int(1)
}
object(stdClass)#1 (2) {
["aa"]=>
int(1)
["bb"]=>
int(2)
}
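Review bot: The expectation `object(stdClass)#1 (2)` hard-codes the object handle, which is fragile for a regression test; using `--EXPECTF--` with `object(stdClass)#%d (2)` avoids a spurious failure if object allocation order ever changes. The role of `$obj` is also undocumented: it is created before `unserialize()` and dumped afterwards, so a comment such as `// live object created before unserialize() and dumped afterwards to confirm it was not clobbered` above `$obj = new stdClass;` would make the purpose of the second `var_dump()` clear.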
@@ -0,0 +1,18 @@
--TEST--
Bug #72731: Type Confusion in Object Deserialization
--FILE--
<?php
class obj {
var $ryat;
function __wakeup() {
$this->ryat = 0x1122334455;
}
}
$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
var_dump(unserialize($poc));
?>
--EXPECT--
int(73588229205)
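Review bot: The literal in `$this->ryat = 0x1122334455;` does not fit a 32-bit integer, so on 32-bit builds it is parsed as a float and the pinned `int(73588229205)` expectation fails even though the fix is present. Add a `--SKIPIF--` section, `<?php if (PHP_INT_SIZE != 8) die('skip 64-bit only');`, mirroring the skip pattern already used by the bug #70513 test in this commit, or pick a value valid on both widths (e.g. `0x11223344`) and adjust the expectation accordingly.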
